The internet has made the world feel small.
Case in point: Adult websites based in the U.S. are now getting letters from foreign regulators demanding compliance with their laws, even if they physically don’t operate in those countries. Meanwhile, some U.S. website operators dealing with the patchwork of state-level age verification laws have considered incorporating offshore in the hopes of avoiding these new obligations — but even operators with no physical presence in the U.S. have been sued or threatened with claims for not following state AV laws.
The era of ‘just follow your local law’ is over. Regulators throughout the world have realized that they can impose legal obligations outside their own country, and either encourage or force compliance through notifications and threats.
These competing demands for legal compliance by seemingly endless jurisdictions can make your head spin. This article will provide some guidance on who must comply with what laws in the “small world” of today’s online ecosystem.
The GDPR Lights a Fire
The concept of worldwide compliance really started to gain traction following the European Union’s adoption of the General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR’s data privacy regulatory obligations apply to websites that offer goods or services to individuals in the EU, accept EU currency, have websites in European languages or track EU residents via cookies.
Which websites qualify? The GDPR can apply based on two different criteria: “targeting” and “establishment.” The targeting criterion applies if processing of personal data is related to offering goods or services to individuals in the EU or monitoring their online behavior. The establishment criterion applies if such processing is in the context of the activities of a data controller or data processor. A data controller determines why and how personal data is processed, while a data processor — usually a third party — processes personal data on behalf of the controller.
Non-EU organizations must assess their processing activities to determine whether either or both of these criteria apply to them. If so, they must designate a representative in the EU.
Violating the GDPR can lead to fines. For less severe violations, that can mean up to 10 million euros or 2% of annual global turnover. For more serious violations, it can mean up to 20 million euros or 4% of annual global turnover.
The EU’s Court of Justice has upheld the power to demand data from foreign companies to assess potential violations, reinforcing the idea that companies operating outside Europe must comply with its laws. While many adult companies in the U.S. initially brushed off the idea of compliance with a foreign law, claims against large operators, such as the massive class action case against Microsoft in Ireland, have encouraged wider compliance with the regulation as a risk mitigation effort.
UK Online Safety Act Reinforces Extraterritoriality
More recently, key duties of the United Kingdom’s Online Safety Act (OSA) came into force as of July 25, 2025. This law imposes various obligations on online service providers such as search engines, adult website operators and user-generated content platforms.
To be considered a regulated platform under the OSA, the operator must have “links with the U.K.” That can mean having a significant number of U.K. users, the U.K. being the target or primary market for the services, or the service being accessible in the U.K. coupled with reasonable grounds to believe the service provides a material risk of significant harm to U.K. residents.
Violators can be fined up to 18 million pounds or 10% of global annual turnover, whichever is higher. Further, UK media regulator Ofcom, the agency tasked with enforcing the OSA, can apply for a court order blocking access to a service in the U.K. Certain criminal penalties also apply for senior managers who fail to comply with the OSA.
In early 2025, Ofcom sent hundreds of demand letters to adult website operators, informing them of their legal obligations under the OSA and demanding compliance with “highly effective age checks” to prevent minors from accessing adult content.
Thus far, it does not appear that Ofcom has successfully forced a U.S. company to comply with the OSA through a court order. Doing so would require involvement of a U.S. court and potentially a constitutional challenge, since some provisions of the OSA could conflict with the First Amendment, which applies in the U.S. However, many adult website operators have voluntarily complied with Ofcom’s demands, to avoid loss of service in the U.K. and potential involvement in expensive legal proceedings.
France Enforces its AV Law Against US Operators
Around the same time that Ofcom was issuing enforcement notices, French media regulator Arcom began notifying adult website operators in the U.S. that they would be expected to comply with France’s age verification law, known as SREN. Operators that had not already implemented age verification received formal notices of violation.
Failure to comply with SREN can result in penalties and administrative blocking of the affected websites in France. At least one administrative action has been filed against a U.S.-based violator, based on the accessibility of the content in France. This suggests that a physical presence in France is not necessary to assert a violation and institute enforcement proceedings.
As with the U.K. law, no U.S. court has yet assisted in enforcing SREN. However, given the risks of being blocked in France, many adult website operators have voluntarily complied with its requirements.
Sweden Bans Online Solicitation of Sex
Also in July 2025, a Swedish law took effect that criminalizes purchasing sexual services performed remotely, and imposes criminal prohibitions on violators, including websites that process payments for such sex acts.
This new law expanded upon the original Sex Purchase Act of 1999, which criminalized the purchase of sexual services in the physical realm. The updated law makes it illegal to purchase sexual acts that are performed online, such as by streamers and custom content creators for webcam performances or custom videos.
Under the law, anyone who pays someone to perform a sexual act online, without actual physical contact, is now subject to the same criminal liability as those who hire in-person sex workers. That includes liability for “procuring” such services, which could lead to enforcement against fan and webcam platforms, or conceivably even against creators who collaborate together.
There have been no known enforcement actions against foreign website operators, and the law appears limited to imposing criminal penalties. Any attempt to criminally prosecute a foreign website operator would involve a demand for extradition which would be governed by the applicable Mutual Legal Assistance Treaty or other extradition treaties between the relevant nations. Often such treaties require a finding of “dual criminality,” meaning that the activity must be illegal in both the requesting state — Sweden — and the “host” state where the alleged offender is located. Since solicitation of virtual sex acts is not widely prohibited throughout the world, formal extradition may be challenging. However, Sweden could point to prostitution laws which broadly prohibit the sale and solicitation of sex acts as grounds for finding dual criminality.
Again, given the threat of enforcement, many adult content platforms have responded to the law by banning direct engagement between Swedish users and models, as well as custom video requests.
US States Sue Foreign Operators Over AV
There have been numerous examples of U.S. states seeking to enforce their AV laws against website operators in foreign countries, including lawsuits in Texas, Kansas and Florida.
Any attempt to pursue such a claim in the U.S. triggers an evaluation of “personal jurisdiction” over the foreign company. Merely operating a website that is generally accessible to users in a given state is typically insufficient to allow a U.S. federal or state court to force a foreign operator to defend a claim on the merits. Doing so would violate due process in the U.S. Instead, the courts require that the operator have certain “minimum contacts” with the “forum state” where the case is pending, in order to establish personal jurisdiction. To be forced to defend, the operator must have purposely availed itself of the privilege of doing business in the forum state.
Cases involving personal jurisdiction are highly dependent on the facts. However, evidence showing that the defendant targeted users in the forum state, received a high volume of traffic from the forum state or regularly entered into contracts with residents of the forum state could be sufficient to establish personal jurisdiction over the foreign operator. The more connections a website has with a particular state, the more likely it is that the operator will be required to defend a lawsuit in that state.
Importantly, individuals are often named in addition to companies in U.S. court cases. A separate personal jurisdiction applies to each specific defendant in the case. Therefore, if a U.S. website operator were to transfer their company assets from a U.S. entity to a foreign company, while personally remaining a resident of the U.S., that individual beneficial owner might be subject to suit in this country even while the company itself remains legally out of reach.
The New Normal
The era of “just follow your local law” is over. Regulators throughout the world have realized that they can impose legal obligations outside their own country, and either encourage or force compliance through notifications and threats.
Fighting such efforts from afar can be expensive, and the risks increase if enforcement actions are ignored. Relocating an operating entity to a foreign jurisdiction is often a hollow effort if the intent is to avoid compliance with local law. Regulators and prosecutors often look past corporate formalities and demand compliance from ultimate beneficial owners. Authorities can trace digital footprints through records, contracts and transactions using subpoenas and production orders. Authorities in most of the developed world also cooperate with each other across international borders.
While worldwide legal compliance is complicated, operators can manage risk by identifying the most pressing concerns, carefully choosing their target markets and obtaining relevant legal advice on an issue-by-issue basis. The world may be getting smaller, but there’s still plenty of room for doing business as long as you know the rules.
Lawrence G. Walters heads up Walters Law Group, which has represented the adult entertainment industry for over 35 years. Nothing in this article is intended as legal advice. Mr. Walters can be contacted through the firm’s website, www.firstamendment.com, or on social media @walterslawgroup.
